CVE-2024-44933

Severity CVSS v4.0:
Pending analysis
Type:
CWE-787 Out-of-bounds Write
Publication date:
26/08/2024
Last modified:
27/08/2024

Description

In the Linux kernel, the following vulnerability has been resolved:

bnxt_en: Fix memory out-of-bounds in bnxt_fill_hw_rss_tbl()

A recent commit has modified the code in __bnxt_reserve_rings() to set the default RSS indirection table to default only when the number of RX rings is changing. While this works for newer firmware that requires RX ring reservations, it causes the regression on older firmware not requiring RX ring reservations (BNXT_NEW_RM() returns false).

With older firmware, RX ring reservations are not required and so hw_resc->resv_rx_rings is not always set to the proper value. The comparison:

if (old_rx_rings != bp->hw_resc.resv_rx_rings)

in __bnxt_reserve_rings() may be false even when the RX rings are changing. This will cause __bnxt_reserve_rings() to skip setting the default RSS indirection table to default to match the current number of RX rings. This may later cause bnxt_fill_hw_rss_tbl() to use an out-of-range index.

We already have bnxt_check_rss_tbl_no_rmgr() to handle exactly this scenario. We just need to move it up in bnxt_need_reserve_rings() to be called unconditionally when using older firmware. Without the fix, if the TX rings are changing, we'll skip the bnxt_check_rss_tbl_no_rmgr() call and __bnxt_reserve_rings() may also skip the bnxt_set_dflt_rss_indir_tbl() call for the reason explained in the last paragraph.

Without setting the default RSS indirection table to default, it causes the regression:

BUG: KASAN: slab-out-of-bounds in __bnxt_hwrm_vnic_set_rss+0xb79/0xe40
Read of size 2 at addr ffff8881c5809618 by task ethtool/31525
Call Trace:
__bnxt_hwrm_vnic_set_rss+0xb79/0xe40
bnxt_hwrm_vnic_rss_cfg_p5+0xf7/0x460
__bnxt_setup_vnic_p5+0x12e/0x270
__bnxt_open_nic+0x2262/0x2f30
bnxt_open_nic+0x5d/0xf0
ethnl_set_channels+0x5d4/0xb30
ethnl_default_set_doit+0x2f1/0x620
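The failure sequence the commit message describes (reservation bookkeeping that does not track RX rings on older firmware, a consistency check skipped on the TX-change path, and stale indirection-table slots reaching the hardware fill) as an added, self-contained C model. This is not the bnxt_en driver's code: every name here (struct rss_model, the model_* functions), the table size of 128 slots and the ring counts are constructed assumptions chosen to reproduce the ordering problem and show why running the check unconditionally closes it. The fill routine is written bounds-checked so the model reports the out-of-range slots instead of reading past an array.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed size for this model, not the driver's constant. */
#define RSS_TBL_SIZE 128u

struct rss_model {
    uint16_t indir_tbl[RSS_TBL_SIZE]; /* RSS indirection table: slot -> RX ring index */
    unsigned int rx_rings;            /* RX rings currently configured */
    unsigned int tx_rings;            /* TX rings currently configured */
    unsigned int resv_rx_rings;       /* reservation bookkeeping; stale on "old firmware" */
};

/* Default mapping: spread the table slots round-robin over the RX rings. */
void model_set_dflt_rss_indir_tbl(struct rss_model *m)
{
    for (size_t i = 0; i < RSS_TBL_SIZE; i++)
        m->indir_tbl[i] = (uint16_t)(i % m->rx_rings);
}

/* Number of slots that name a ring at or beyond the current RX ring count. */
size_t model_count_stale_slots(const struct rss_model *m)
{
    size_t stale = 0;
    for (size_t i = 0; i < RSS_TBL_SIZE; i++)
        if (m->indir_tbl[i] >= m->rx_rings)
            stale++;
    return stale;
}

/* Consistency check: reset the table to default if any slot is out of range.
   Returns true when a reset happened. */
bool model_check_rss_tbl(struct rss_model *m)
{
    if (model_count_stale_slots(m) == 0)
        return false;
    model_set_dflt_rss_indir_tbl(m);
    return true;
}

/* Bounds-checked translation of table slots to per-ring firmware ids. A fill
   that trusted the slot value would index ring_fw_id[] past its end; this
   version rejects such slots and returns how many it saw. */
size_t model_fill_hw_rss_tbl(const struct rss_model *m, const uint16_t *ring_fw_id,
                             size_t nrings, uint16_t *hw_out)
{
    size_t rejected = 0;
    for (size_t i = 0; i < RSS_TBL_SIZE; i++) {
        uint16_t ring = m->indir_tbl[i];
        if (ring >= nrings) {
            hw_out[i] = 0;
            rejected++;
            continue;
        }
        hw_out[i] = ring_fw_id[ring];
    }
    return rejected;
}

/* Ring reconfiguration. check_unconditionally selects the fixed ordering (the
   consistency check always runs) versus the buggy one (skipped when TX rings
   change). resv_rx_rings is deliberately never updated, so the reservation
   comparison can be false even though the RX ring count did change. */
void model_reconfigure(struct rss_model *m, unsigned int new_rx, unsigned int new_tx,
                       bool check_unconditionally)
{
    unsigned int old_rx = m->rx_rings;
    bool tx_changing = new_tx != m->tx_rings;

    m->rx_rings = new_rx;
    m->tx_rings = new_tx;

    if (check_unconditionally || !tx_changing)
        model_check_rss_tbl(m);

    if (old_rx != m->resv_rx_rings)      /* stale bookkeeping: stays false here */
        model_set_dflt_rss_indir_tbl(m);
}

/* Scenario: 8 RX / 8 TX rings, then shrink to 2 RX while also changing TX.
   Returns the number of stale slots the hardware fill had to reject. */
size_t model_scenario(bool fixed)
{
    struct rss_model m = { .rx_rings = 8, .tx_rings = 8, .resv_rx_rings = 8 };
    uint16_t ring_fw_id[2] = { 0x100, 0x101 };   /* constructed ids for the 2 surviving rings */
    uint16_t hw_out[RSS_TBL_SIZE];

    model_set_dflt_rss_indir_tbl(&m);
    model_reconfigure(&m, 2, 4, fixed);
    return model_fill_hw_rss_tbl(&m, ring_fw_id, m.rx_rings, hw_out);
}

int main(void)
{
    printf("buggy ordering: %zu stale slots reached the fill\n", model_scenario(false));
    printf("fixed ordering: %zu stale slots reached the fill\n", model_scenario(true));
    return 0;
}
```

With the buggy ordering, 96 of the 128 slots still point at rings 2..7 after the shrink, which is exactly the class of index the KASAN report above flags; with the check run unconditionally the table is rebuilt before the fill and no slot is out of range.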

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:6.10.4:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.11:rc2:*:*:*:*:*:*